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<?xml version="1.0" ?>

<Ag^ n iPfCJtocoi x mi n^-- " h ttp: / /www. nai. corn" 
xmlns:>:sr'^''http?//vvwv^,w3,org/2001/XMLSchemti"m 

<Cai>trofDaca> 
<Version>0x01000001</Version>

<MinVersion>0x01000001</MinVersion>

<Command>RequestCustomAction</Command>

<CystomActions 

id ^"<AGHNT_iNSTAtLED_DIR> \ \CustomAaionsUbrary \\CustActl.dir^ 

<Par^^fneter id- 'Key" type- 'xs:strh)y" 

Fixnil^^ln'^><AG£NT„INSTAttED_REGKEY></P<if\arFit:l^ 
<P;sran"sett:r id 'VaJuen;sme'' typf:"- "x5;: string'' 

jncu i: " J ti " > Ao a n t V ei rsj o n < / Pc3 ra r ? ^<il:e r > 
<P^sf<3m^ter ui ^^ 'ResuJt'' cype^'xs: string' inoijj ^^"out" /> 

</Custom,Actions> 

<ajsEornAcrtiJi.s iii^^^^■(0GEDQ62A-5D69"4793-ACED-FS0BKX8t^C4AF>^'> 
■• <inC:erface id •^"{C9£iCC03-8007"412A-BrSD-532CS7Dr4482>"> 

inout - " >TestXrtstal I Procluc t </ Pa r f n<?t*'? f > 
< Pa ra m eter id " Pro<f uc tV^irsion ' ty p e - xs:d ecima \ " 

jn cRf t " " In^ > Ox 0 1 0 0 0 Q 01 </ Ps r^t mi>t e r > 
<Parafnet:er ki^ "Locatiorj" type --''xs;stf jng" 

< P;jn5 meter fd ^ " Result ' f y pe " : stn ng ' it>c.' u I o ut" / > 

- < Me th od t d = GetSy st e m D i re c tor y > 

<ParametBr id Directory" type^^xststrin^'' inout^ 'out" /> 

</Hethod> 
</Ir)terface> 
</Custom Ac bons > 

<Iriterfcce fd- H^OOOCC03-SOQ7*412A-SFSD-S32CS7DF4482>'^> 

" ^Method id- 'Tnggerllvent'*> 

inout - 'in * > 1000 < / Pararn^itar > 

<Piirafne»ter id^^EventD^scription" lype^'x.'s; decimal" 
lnout^''m''>Tfie event %€ventID«/o has been triggered by ^fn 
USERNAME^^o on comptlter %COMPurERNAH€%. The % 
FILENAMES file infected with %VIRUSNAHH=^/<>. This has 
b«€n detected fey angineversion ^/oENGINEVERSION^l'b 
datvetsiotj %DATVERSION*Vb.</P3ramet(?r> 

<Pararn^?t:er id^^'COMPUTERNAMe** tvP«^-">«^s:stnng'' 
;nout="jn''>saiircecamputer</Parafn??t0r> 

<Pasamf?ter id : 'USgRNAHE ' typsi^^i "xsrstring-' 

<Par<^m«i:er sds: ' FILENAME*' type- 'xs:s t ring" 
snotJt^''in">k€rnet32.dll</p£iramete*r> 

CUSTOM ACTIONS PROTOCOL RESP XML



FIG. 10A 
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: n 0 u t ^ " in " > N i m bd a < / Pa ra rr ; ete r > 
<Par3meter 16^ EHGrnmERSlOH' type^^^xs:decimal" 

Inout==^"in">0x04005001</Paramet:er> 
<Para meter id - "DATVERSIO N " ly pe "xstdecmiaj" 

irrQut^"i«''>Ox07003009</Pafaineter> 

<:/Melhod> 
</ln5:erface> 
</CustomActions> 
<7Ag^ntProtocoi > 



CUSTOM ACTIONS PROTOCOL REQ XML
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<?xml version="1.0" ?>



<AgentProtoc:oi xmlns-- "http: //wvvw.naixam" 
X rn 1 n s : xsi " " h tip : / / w w w av3 , o r *g / 2 0 D 1 / X M LS ch e ma ~ instis nee " 
X}f.(:schenKiLoc.^tson- ''http://vvv/w.ri3i.com CustomAcl:iDnsFrotocc>Lxs€i"> 
<ControlData> 

<Version>0x01000001</Version>
<MinVersion>0x01000001</MinVersion>
<Comniand>RspondToCustomAction</<::omrinand> 

< S e rv^i r > d i w n ts 2 ke </Serve r > 
</ContrDlData> 

- < Cu s to m A c t: i o n ^^ 

i<l-VAGENT_INSTALLEP_DIR>\\CystomActionsLifarar^ 

< Para meter id — ''ResuJt" type^"xs:str1n<|" 

</ Method > 

' <CustamActk>ns id '^^^{O6EOO62A-SO69*4793-ACED-F8OBE1B0C4AF>"> 

- <fnt:errace ?d^"<C9ElCCO3-SOO?-412A-aF5D-532CS70F44S2>"> 
" < M eih ocJ ki ^ Hx ecu t eSil en tin st a f fa tf on " :> 

<Prnr^:tmeu?r jd^^rResult" i/pe ^^^xs^strmg" tnouc=^ 'our > Error: Invalid 
Image path specified. </P<jrameter> 
</Mathod> 
</lnterface> 

» <ln{erfac« id ^^X<^9^^CC03-SQ07-4i2A'-SF5D-532C57DF44a2>"> 
< Method fd^"GetSystemDfrectory''> 
< Parameter td^ "Directory'* type=^''xs:strtng" 

t no u t - o u t > G r \ Wi n n t \ S y s t e m 3 2 / P a ram e te r> 
< P,^j'ameXej Id^'^Rasuit" type:== "xsidecimal" 
ino u t ~ 'out" > 0 < /Paramete r > 
<yHethod> 
</!nterface> 

< / Cu s to m A Clio ns > 

< Custom Actions id^"{O6EOO62S-SO69-4793-ACED-FaOBElB0C4AF> '> 

- <:lnf:erface id <:AO00CC03-S0O7-412A-SFSD-S32CS7Dr44S2>"> 

- <t4ethod sd= 'TnggerHvent"> 

<Param6ter id-^'Rasult" type^"xs:strifig" inDUt^="out''>EverU sent to 
testcomputer2</P9rsmeter> 

</Metho<i> 
</Interrace> 

< /C Ei St a rf ] Ac 1 1 o n<i> 
/Ayef)tProtocol> 



CUSTOM ACTIONS PROTOCOL RESP XML
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AgefUPf otoco I xnrt htt p > / / www . * ,co m " 
Xfnln?^ : x.ji " 'http)/ / WW w/vv3, or g / 200 1 / XT'^tLSchema-instance'' 
x:^j:s(:hem£iLoc3iicn ^^'"http://www.naKcQm CustomActtonsPrototcolvXSd 
http;//www,naLcom AgenfcConriguratjon*xsd > 

<Version>0x01000001</Version>
<MinVersion>0x01000001</MinVersion>
<Command>RequestCustomAction</Command>
<S€-rvar>ned Xwn ts 2ke</Server> 
</ComroiData> 

< Cu;>t:>:)n^ Ac t icjns k; ^"Re*9istryMapptfi9.dir> 
- <Method fd^'WrjteConfjg' > 
- Re9:stry Conn c} israti on 

;C? : 'HK£Y_LOCAL_MACH.ENE\SOfTWARE\McAfee"> 

<: Ve f 5:cn > 0x04 070 000 'Jers ion > 
<Di'^p}aylVam<?> Alert Manager 4*7</DrspliayN«m<ii> 

- cLanquci^e i<j- '0407 '> 

< Vt:ryjoiV->OxO too 000 2 </Vtirsi;:ri > 



<iX)HGD^ SCRIPT >OiA^ ist csmts Test- Nacf inch t van AJcirt 

Man ager. </LONGD£SCRJPT> 
<SHaRTD£5:JCPiPT.>Testmg</SH0RTD£SCRiPr> 
< Se v<: r ity > 5 < /Sei vcfi > 



</Lsinguage> 
" < Language id ^ "0409" > 

< Version > OxP i000002 </V«r?:stjri > 
- < Event \di^^^''V> 

<i.0^4GDESCR^PT>Tt1^s is an alert manager test 

m ess g e . < / tO N G D ES C R I PT > 
<SHORTDeSCRlPT>TesthigN7SllOR'rDESCRIPT> 

< Seventy >0</Sev€ir?ty> 

< En a b( ed > !</ Enabled > 

<LONGDeSCRiFT>T€Xt of ^Viiant 2*</L0NGDESCRlPT > 

< SH C RTCj ESCRI PT> Testing <;/19f-iORr y ffSCRlFT > 

< Sti V a ri ty > 1 </S« verity > 
</Bv€nt> 

</ Rt^9 EstryCo nfig uratl on > 

</^^efchod> 

< Method id^ "ReadConfig'' > 
< Re g is tp/ Con figuration 

ki- HKEY_LQCAL_MACHlNE\SOFTWARe\McAf«e\*'' /> 

< /Method > 
. /Custom Actions > 

. Ci isiri rn A ct i an id ^ " IfJ 1 Fil$? M a pp ing . d J r > 
< M et hod id ^ " Wr j teCo n f " > 
- <njeConngur3t;ori :d^"C:\Pr09r3m Piles\Alert 
Man ag e r \ AMG Coiif t g . i n i > 

- <LXtt*fU5ion5> 



AGENT CONFIG CUSTOM ACTION XML
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<am9>AMGConflg</amg> 

<Bsf>MPEGVideo</3sf> 

< w m p >M P E G V t d e o 2 < / w r n p > 

</ExtensjOn$> 
< / Fi {eCon fiq u r a 1 1 on > 

</Hethod> 

< Method id^"ReadConfig"> 
<RfeConfigurarJon id « "C:\Program FHes\Alert 
Hartager\AMGConfig.fni'* /> 

</Method> 
< / Cm torn A cti > 
- <CustDniAct1ons id^''MAPIMappfiig.ci!l"> 
" < Method ici ^=^"WriteConfjg''> 
- <DAPIConfkjural:ron id - "/0^org/OU==Tesl:Site/CMc=iTestContafner ^ > 
< Bir^ar y Proper^/ > 01234567a9ABCDEF00000</BinaryProperty > 
</DAP[Conflgurat?on> 
</Hethod> 
- <Mel-hod id -"ReadConfig"> 

<DAPrConF^gurc^)tio^ K:i^"/0=Jorg/Oli:=iTestSile/CN==:TestContamer" /> 
< /Method > 
</Custo m Ac tio ns > 
</AgentProtocoi> 



AGENT CONFIG CUSTOM ACTION XML
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<?xml version="1.0" ?>

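<!--
  AMGEvents instance document: the event catalogue of one product, with
  per-language event descriptions and severities.

  Reconstructed from an OCR scan of a figure. Element names follow the
  companion AMGEvents.xsd named in xsi:schemaLocation. Anything the scan
  dropped or left illegible is marked with a comment where it occurs.

  Review notes:
  * The xmlns:xsi declaration is not legible in this listing. It is restored
    here because the xsi:schemaLocation attribute cannot be used without it.
  * xsi:schemaLocation is only a hint. A consumer should validate against a
    schema copy it already trusts and should not fetch whatever location an
    incoming document names.
  * The description elements are free text. Escape them before they are
    rendered or logged by a receiving console.
-->
<AMGEvents xmlns="http://www.nai.com"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.nai.com AMGEvents.xsd">
  <Product id="Alert Manager">
    <Version>0x04070000</Version>
    <DisplayName>Alert Manager 4.7</DisplayName>

    <!-- Language ids are presumably locale identifiers; the 0407 text is German. -->
    <Language id="0407">
      <Version>0x01000002</Version>
      <Event id="1">
        <LONGDESCRIPT>Das ist eine Test-Nachricht von Alert Manager.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>5</Severity>
        <Enabled>1</Enabled>
      </Event>
    </Language>

    <!-- The scan dropped this start tag; id 0409 is taken from the matching
         block in the agent configuration listing on the same page. -->
    <Language id="0409">
      <Version>0x01000002</Version>
      <Event id="1">
        <!-- "messge" is spelled this way in both listings on the page. -->
        <LONGDESCRIPT>This is an alert manager test messge.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>0</Severity>
        <Enabled>1</Enabled>
      </Event>
      <Event id="2">
        <LONGDESCRIPT>Text of event 2.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>1</Severity>
      </Event>
      <Event id="3">
        <LONGDESCRIPT>Text of event 3.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>1</Severity>
      <!-- The scan dropped this end tag. -->
      </Event>
      <Event id="4">
        <LONGDESCRIPT>Text of event 4.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <!-- The scan reads "X" here; the original digit is not legible. -->
        <Severity>X</Severity>
      </Event>
    </Language>
  </Product>
</AMGEvents>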
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<?xml version="1.0" encoding="UTF-8" ?>




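<!--
  XML Schema for AMGEvents documents: one or more Product elements, each with
  a Version, a DisplayName and one or more Language blocks holding Event
  entries.

  Reconstructed from an OCR scan of a figure. Names and structure follow the
  legible parts of the listing.

  Review notes:
  * Severity and Version are typed xs:string, so schema validation puts no
    range or format limit on them. A consumer that acts on severity should
    check the value itself.
  * The id attributes are xs:string, not xs:ID, so the schema does not
    enforce uniqueness of Product, Language or Event ids.
  * Product, Language and Event are all maxOccurs="unbounded". A consumer
    handling untrusted input should bound document size on its own.
-->
<xs:schema targetNamespace="http://www.nai.com"
           xmlns="http://www.nai.com"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           elementFormDefault="qualified">

  <xs:element name="DisplayName" type="xs:string" />
  <xs:element name="Enabled" type="xs:boolean" />

  <!-- One event: long and short description, severity, optional enabled flag. -->
  <xs:complexType name="EventType">
    <xs:all>
      <xs:element ref="LONGDESCRIPT" />
      <xs:element ref="SHORTDESCRIPT" />
      <xs:element ref="Severity" />
      <xs:element ref="Enabled" minOccurs="0" />
    </xs:all>
    <xs:attribute name="id" type="xs:string" use="required" />
  </xs:complexType>

  <!-- One language block: a version followed by its events. -->
  <xs:complexType name="LanguageType">
    <xs:sequence>
      <xs:element ref="Version" />
      <xs:element name="Event" type="EventType"
                  maxOccurs="unbounded" />
    </xs:sequence>
    <xs:attribute name="id" type="xs:string" use="required" />
  </xs:complexType>

  <xs:element name="Product">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Version" />
        <xs:element ref="DisplayName" />
        <xs:element name="Language" type="LanguageType"
                    maxOccurs="unbounded" />
      </xs:sequence>
      <xs:attribute name="id" type="xs:string" use="required" />
    </xs:complexType>
  </xs:element>

  <!-- Document root. -->
  <xs:element name="AMGEvents">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Product" maxOccurs="unbounded" />
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:element name="LONGDESCRIPT" type="xs:string" />
  <xs:element name="SHORTDESCRIPT" type="xs:string" />
  <xs:element name="Severity" type="xs:string" />
  <xs:element name="Version" type="xs:string" />

</xs:schema>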
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